Laravel route filter to specific url - php

I'm trying to apply route filter to a specific url. So, my file is under public directory:
/public/js/kcfinder/browse.php
My filter:
Route::filter('admin', function ()
{
    if (!Sentry::check())
    {
        // if not logged in, redirect to login
        return Redirect::to_route('admin_login');
    }
    elseif (!Sentry::user()->has_access('is_admin'))
    {
        //logout
        Sentry::logout();
        // has no access
        return View::make('error.access_error');
    }
});
Finally my pattern:
Route::filter('pattern: js/kcfinder/*', 'admin');
If I try to access
/public/js/kcfinder/browse.php
the rule does not work.
I can see whole contents of file.
If I try to access
/public/js/kcfinder/blahblah.php
the filter works great, because there is no file named
blahblah.php
under the directory.
Any help would be really great!

That's because your .htaccess file says that if the request URI matches an existing file, then don't rewrite, just show/execute the file as it is.
So, you have two options:
You can create the necessary filters in your .htaccess file so that files in certain directories always get rewritten and sent to index.php.
RewriteCond %{REQUEST_URI} ^/js/kcfinder
RewriteRule \.php$ index.php [L,QSA]
This condition-and-rule set would need to be placed above the conditions that check for files and directories.
Alternatively, you can create authenticated routes in Laravel that manually fetch and execute the files. (This is not recommended as you would have to make use of eval().)

I've been down this path with trying to integrate ckfinder into Laravel's auth system and ultimately found it to be too much effort. It's probably possible, but my solution was a simple hack. When I render the Ckeditor widget, I set a plain old session variable in PHP, then check for the existence of the session var in ckfinder's auth check routine.
// When rendering widget
session_start();
$_SESSION['enable_ckeditor'] = true;
// In ckfinder somewhere
session_start();
return isset( $_SESSION['enable_ckeditor'] ) ? $_SESSION['enable_ckeditor'] : false;

Related

PHP Dynamic URL Folder Paths

I am trying to create a login and admin section to my project, however, I do not want to actually have the folders (ROOT/login/) and (ROOT/admin/) on the server. Instead, when someone navigates to http://localhost/admin/, it instead includes another file to the existing index.php.
I know how to check for _GET and _POST, but that doesn't seem like the route I am looking for as I do not want index.php?SOME_VALUE. Instead, I am looking for an actual folder (in the URL) that doesn't really exist on the server.
I hope I am making sense. Here is an example:
$conf_site_url = http://localhost/
if
$conf_site_url + $_SERVER['REQUEST_URI'] === 'http://localhost/admin/'
then
include(/driver/views/admin/page.php);
else if
$conf_site_url + $_SERVER['REQUEST_URI'] === 'http://localhost/login/'
then
include(/driver/views/login.php);
else
include(driver/view/site.php);
Basically, if admin/ or login/ are appended to the URL, then include a different file from a nested folder, however, if nothing, then include the standard site.php file.
I made some changes to the code.
$conf_site_url = "http://localhost";
if ($conf_site_url."".$_SERVER['REQUEST_URI'] === 'http://localhost/admin/')
{
    include("/driver/views/admin/page.php");
} else if ($conf_site_url."".$_SERVER['REQUEST_URI'] === 'http://localhost/login/') {
    include("/driver/views/login.php");
} else {
    include("driver/view/site.php");
}
You should not forget the htaccess file.
Based on the information provided by ahmetarpaci's response, adding a .htaccess file with:
RewriteRule ^(.*) index.php [PT,L]
does the trick.

Attach middleware to specific existing route

Is there a way to attach middleware to a specific route in Wordpress or just in PHP? I'd like to run a middleware function before allowing access to the uploads folder to check if the user has access to the file before allowing them to download it.
I come from a background in node.js/express so if it helps I'd like to do something like this:
app.use('/wp-content/uploads', function(req, res, next) {
    // do stuff with req and call next to continue,
    // or use res to end the request early.
});
There are various WordPress plugins for restricting access to content or downloads, mostly based on the logic of being registered or not and what privileges that user has.
The basic logic behind them is like this:
// Redirect guests
function guest_redirect() {
    $guest_routes = array(
        'member-login',
        'member-account',
        'member-register',
        'member-password-lost',
        'member-password-reset'
    );
    // Force login or registration
    if ( !is_user_logged_in() && !is_page($guest_routes) ) {
        wp_redirect( 'member-login' );
        exit;
    }
}
add_action( 'template_redirect', 'guest_redirect' );
Also, WordPress has a REST API (official doc here for your needs). However, using your own custom thing for a production site using the REST API without properly testing it can be risky and complicated to use.
From what I get about your use case from your description, you can solve your problem just using one of the many WordPress plugins already available. For example, you can use a "download manager" to handle the upload and download of the contents: https://wordpress.org/support/plugin/download-manager
or use something like https://wordpress.org/plugins/easy-digital-downloads/
You can find more plugins here https://wordpress.org/plugins/
If you really want to write something custom, you can use a RewriteRule to send all the requests for the uploads folder through a "protect.php" script, adding something like this in the .htaccess file:
RewriteCond %{REQUEST_FILENAME} -s
RewriteRule ^wp-content/uploads/(.*)$ protect.php?filename=$1 [L,QSA]
In the protect.php script you can implement your custom logic to allow/forbid access to the specific "filename".
To use the WP functions inside your custom protect.php file you should include wp-load.php, more or less like this:
require_once(rtrim($_SERVER['DOCUMENT_ROOT'], '/') . '/wp-load.php');

Redirect direct access to files in subfolder to script

I have a subfolder that holds user uploaded files. I want to redirect all direct file requests to this folder to another .php script, so I can check if the user is logged in before I send/show the file to him.
For example:
/mainsite/uploads/user/2324/file.pdf
needs to be forwarded to
/mainsite/uploads/permissions.php
But I need to be able to do this inside permissions.php:
$url = $_SERVER['REQUEST_URI'];
and see what was the initial request...in order to readfile() the file after all the 'checking'.
I've tried this:
RewriteEngine On
RewriteRule ^/uploads/user/?$ /uploads/permissions.php [R=301,L]
but this is just a simple forwarding... I have no idea what file or folder the user requested.
I know I can do this by creating an individual htaccess file inside every folder that is created under 'user/{userid}', but I wanted a simpler solution. I don't want to have 10000 htaccess files if I can do this with just one.
Thanks
Try with this syntax (I added the R=301 part, which wasn't necessary in my version, so it is not fully tested; it works without the R option):
RewriteRule "^/uploads/user/(.+)$" "/uploads/permissions.php?file=$1" [R=301,QSA,L]
You can then get your file var in the $_GET array in permissions.php. However, I wouldn't recommend using this value directly because it can be insecure. The best way is to only allow fixed values, with a switch for example, having filtered the var as a string before.
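The check that a gatekeeper script such as protect.php or permissions.php needs before it hands a file to readfile(), as an added example that is not part of either answer. The function name resolve_upload, the extension allowlist and the temporary directory tree are assumptions constructed for the demo.

```php
<?php
// Added example: path validation for /uploads/permissions.php?file=... (names are assumptions).

/**
 * Map the untrusted "file" parameter to a real file inside $baseDir,
 * or return null when the request must be refused.
 */
function resolve_upload(string $baseDir, string $requested, array $allowedExt): ?string
{
    // Reject NUL bytes and empty values before touching the filesystem.
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    $base = realpath($baseDir);
    // realpath() collapses "..", duplicate slashes and symlinks; false if the path is missing.
    $path = $base === false ? false : realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($path === false || !is_file($path)) {
        return null;
    }
    // Containment check: the resolved path must still live under the base directory.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    // Only hand out known document types; never stream .php or dotfiles.
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    return in_array($ext, $allowedExt, true) ? $path : null;
}

// --- Constructed demo: a throwaway upload tree, so the script runs offline ---
$root = sys_get_temp_dir() . '/uploads_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/user/2324', 0700, true);
file_put_contents($root . '/user/2324/file.pdf', '%PDF-1.4 sample');
file_put_contents($root . '/secret.php', '<?php // outside the served tree');

$cases = [
    '2324/file.pdf',          // normal request
    '../secret.php',          // resolves outside user/
    '2324/../../secret.php',  // same, behind a valid prefix
    '2324/missing.pdf',       // non-existent file
];
foreach ($cases as $file) {
    $hit = resolve_upload($root . '/user', $file, ['pdf', 'png', 'jpg']);
    printf("%-24s => %s\n", $file, $hit === null ? 'REFUSED' : 'serve ' . basename($hit));
}
```

In a real permissions.php or protect.php the login check runs first, and only a non-null result is passed to readfile() with an explicit Content-Type header.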

How to require wordpress login to view a subdirectory within the wordpress site?

I have my Wordpress site at xroads.com
Inside, there is a folder called "_warehouse" which contains a php CRUD app
Is it possible to require the same login page I use for the Wordpress site to view the _warehouse directory?
Thanks in advance!
If the user already has an account in WordPress:
Redirect the user to the login form. Use wp_login_url with the $redirect parameter to set where they go after logging in:
$loginUrl = wp_login_url( home_url('_warehouse') );
https://codex.wordpress.org/Function_Reference/wp_login_url
Then use the wp_login action to manually authenticate the user in your application:
add_action('wp_login', function($username, $user) {
// Log user into external application
}, 10, 2);
https://codex.wordpress.org/Plugin_API/Action_Reference/wp_login
Actually setting the user as "logged in" is going to depend on how your external application is setup. It could be as simple as setting a session variable and then checking if that is set in your warehouse app.
Here is one possible solution (use at your own risk).
Create a .htaccess file in the _warehouse directory with the following content:
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} -f
RewriteRule ^.*$ wplogin.php [NC,L]
This will redirect all requests for files that exist in _warehouse and any subdirectories to _warehouse/wplogin.php
Create _warehouse/wplogin.php with the following content:
<?php
// Edit this path to include wp-load.php from your WordPress directory
require_once '../wp-load.php';
if (!is_user_logged_in()) {
    // if user is not logged in, set redirect URI, show WP login
    $_REQUEST['redirect_to'] = $_SERVER['REQUEST_URI'];
    require_once '../wordpress/wp-login.php';
    exit;
} else {
    // user is logged into wordpress - show the requested file.
    // REQUEST_URI includes the query string, so keep only the path part.
    require_once $_SERVER['DOCUMENT_ROOT'] . parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH);
}
Lastly, and very important, add this to your wp-config.php file:
define('COOKIEPATH', '/');
This is because WordPress will set cookies with a path specified. This would prevent the login cookies from being recognized in _warehouse.
And as I said, use at your own risk. It is not perfect but is probably the quickest way to achieve what you want and will handle many cases.
Note: it doesn't deal with directories with no index. If Apache Options +Indexes is on, someone may be able to see directory listings in _warehouse but if they try to access one it will show the login page.

codeigniter only pages to an existing website

My website structure somewhat looks like below
css/
lib/
js/
index.php
profile.php
products.php
checkout.php
orders.php
invoice.php
I have added a codeigniter folder in there ...
codeigniter/application/
codeigniter/application/controllers/
codeigniter/application/controllers/mycontroller.php
and other files
I can access CodeIgniter stuff by going to mywebsite.com/codeigniter/mycontroller etc fine.
However, I want to get rid of /codeigniter/ part from the URL. So I was wondering if it is possible to create a whitelist of the files which are CodeIgniter specific? For example, if the URL is mywebsite.com/mycontroller then it does CI stuff otherwise it looks for the plain PHP code file. I have only a couple of CI controllers and loads other non-CI files.
Any ideas?
I think you could use .htaccess to rewrite URLs that don't contain .php, css, lib and js. Something like:
RewriteCond %{REQUEST_URI} !(\.php$|^/(css|js|lib|codeigniter)/)
RewriteRule (.*) codeigniter/index.php/$1 [L]
So:
http://example.com/css/test.css
stays
http://example.com/css/test.css
(as will all requests to css|lib|js. You can append more things here for the rewrite to ignore)
http://example.com/controller/method
becomes
http://example.com/codeigniter/index.php/controller/method
You can test it out here: http://htaccess.madewithlove.be/
More on rewriting: http://httpd.apache.org/docs/current/mod/mod_rewrite.html
Short-term Solution
You can start by simply converting the index.php file into a controller and name it whatever you wish:
<?php
class New_default_controller extends CI_Controller {
    public function index()
    {
        // home page stuff here
    }
}
Alter the route.php file and set your default controller so that simply visiting your site will trigger the proper controller:
$route['default_controller'] = 'new_default_controller';
Apply the instructions for Removing the index.php file
Now calls to www.mysite.com/profile.php will access the profile.php at your root and calls to www.mysite.com/new_future_page will call your new_future_page controller.
Please let me know if any of this is confusing or you get stuck.
Optimal Solution
I wanted to leave a comment above but this would have been impossible to show as a comment.
You will have to take your PHP files and put them in the controllers folder like this:
codeigniter/application/controllers/profile.php
codeigniter/application/controllers/products.php
codeigniter/application/controllers/checkout.php
codeigniter/application/controllers/orders.php
codeigniter/application/controllers/invoice.php
Please go through and do the Tutorial before continuing any further. Specifically the Static Pages section will help you in achieving your goal.
You will have to convert your current PHP files to follow the flow of CodeIgniter
